nginx - log SSL handshake failures


Question

I'm running an nginx server with SSL enabled.

My protocol / cipher settings are fairly secure, and I've checked them at ssllabs.com, but --

-- since this is a web service which is called by http clients that I have no control over, I have concerns about compatibility.

The main point:

Is there a way to log SSL handshake failures as they happen (if they happen) in my nginx logs?

For example, I've got SSLv3 disabled, and if I try to "curl -3" (forcing SSLv3) to my server, then I get this:

  • NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
  • Cannot communicate securely with peer: no common encryption algorithm(s).
  • Closing connection 0
  curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

I would like to log this type of error in server logs too; with the default nginx settings, there is nothing.

Enabling "debug" log level for the error log does what I want, will log SSL handshake errors -- but unfortunately it also logs too much other stuff, making the log too bloated, drowning out other potentially useful info.

Recommended answer

You can use the info log level.
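
An added example, not part of the original answer: once the error log runs at `info` (for instance `error_log /var/log/nginx/error.log info;`, where the path is an assumption), failed handshakes show up as lines ending in "while SSL handshaking", and this Python sketch pulls only those out and tallies them per client and reason. The log lines, addresses and function names below are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in nginx error-log format at "info" level.
SAMPLE_LOG = """\
2015/03/02 10:15:01 [info] 2211#0: *17 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2015/03/02 10:15:04 [info] 2211#0: *18 client closed connection while waiting for request, client: 192.0.2.11, server: 0.0.0.0:443
2015/03/02 10:15:09 [info] 2211#0: *19 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2015/03/02 10:15:12 [info] 2211#0: *20 peer closed connection in SSL handshake while SSL handshaking, client: 192.0.2.12, server: 0.0.0.0:443
2015/03/02 10:15:20 [error] 2211#0: *21 open() "/var/www/missing" failed (2: No such file or directory), client: 192.0.2.13, server: example.test
"""

# Timestamp, level, pid#tid, optional connection number, then the message.
# Only lines whose context is "while SSL handshaking" are of interest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"(?:\*\d+ )?(?P<msg>.*?) while SSL handshaking, client: (?P<client>[^,\s]+)"
)
SSL_DETAIL_RE = re.compile(r"\(SSL: (.*)\)")


def handshake_failures(log_text):
    """Return one dict per handshake failure found in the error-log text."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated info/error noise is dropped here
        msg = m.group("msg")
        detail = SSL_DETAIL_RE.search(msg)
        # OpenSSL detail looks like error:<code>:<lib>:<func>:<reason>;
        # keep the final field, or the whole message if no detail is present.
        reason = detail.group(1).rsplit(":", 1)[-1] if detail else msg
        failures.append(
            {"ts": m.group("ts"), "client": m.group("client"), "reason": reason}
        )
    return failures


def summarize(failures):
    """Count failures per (client, reason) to spot incompatible clients."""
    return Counter((f["client"], f["reason"]) for f in failures)


if __name__ == "__main__":
    for (client, reason), n in summarize(handshake_failures(SAMPLE_LOG)).items():
        print(f"{n:3d}  {client:15s}  {reason}")
```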
